
Suggestions - VPN

I seem to be hitting a hurdle with Sophos & Microsoft with regard to VPN, so I'm looking for some suggestions.

Requirements are:

1. Easy to deploy, e.g. to 200 clients
2. Transparent to the end user, i.e. no manual connecting. It has to be automatic.

Now, straight away, we would go Microsoft DirectAccess (DA). That worked until M$ broke it with Windows 10 build 1903. It's also end of life and has been replaced with Always On VPN (AOVPN).

So, let's replace DA with AOVPN, which uses a more traditional VPN (IPsec IKEv2) and allows it to be used with third-party firewalls etc.

Issues we encountered:

1. We can't have DNAT'd Microsoft AOVPN servers behind the UTM, due to the UTM already using IPsec. There's no way to use additional IPs here.

2. I know... let's use the UTM as the IPsec endpoint. Uh uh... the UTM doesn't support IKEv2.

3. OpenVPN? It would be ideal, but it doesn't deal with trusted networks and doesn't auto-start if outside of a corporate network (unless somebody knows how?).

4. 3rd-party VPN client? The Sophos IPsec client and NCP Entry client will work but look expensive. Cisco AnyConnect looks good too, but there are licensing implications there too.

5. L2TP/IPsec with RADIUS on the UTM and the M$ built-in client (with PowerShell) will work, but I can't seem to get computer authentication to work with it, which leaves it open to potential abuse. User certs are a bit of a step too far for our IT department. It would be great if the M$ client could pass the computer name etc., but it doesn't seem to do this.


So... looking for any ideas or suggestions here. Cheers.



  • I'm sort of leaning towards M$ SSTP now.

    I liked M$ DirectAccess because it went via IP-HTTPS, but M$ Always On VPN uses the traditional IPsec ports as it's really just IPsec IKEv2.

    Now, what Microsoft doesn't tell people is that with Windows 10 you can configure their native client to do the same sort of thing via PowerShell, i.e. auto-connect if there's no trusted network etc.

    So, SSTP can be used, and the thing I like about SSTP (Secure Socket Tunneling Protocol) is that it runs over HTTPS and therefore has a greater chance of getting through most firewalls on guest networks, whereas you can find that IPsec etc. is blocked. OpenVPN would have been a good contender here, but I couldn't find much about RADIUS authentication and certainly nothing about trusted networks and auto-connect.

    We can also run M$ RRAS DNAT'd behind the UTM, because it allows you to select different additional IPs, whereas IPsec or L2TP/IPsec doesn't.

    So, I now have SSTP running with RADIUS certificate authentication and just need to balance the connections now, as we have 2 ingress points, so a little bit of Group Policy and PowerShell and hopefully good to go.
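The auto-connect / trusted-network behaviour Louis refers to is driven by the Windows 10 VPNv2 CSP (ProfileXML), which can be written from PowerShell through the WMI-to-CSP bridge. The script below is an added example, not something posted in this thread or shipped by Sophos or Microsoft; the server name, DNS suffix and profile names are placeholders, and it assumes the RRAS box is reachable on TCP 443 and the target user is logged on while the script runs elevated:

```powershell
# Added example (not from the thread): publish an Always On VPN user profile for the
# Windows 10 native client so it connects automatically whenever the machine is NOT
# on the corporate network. Run elevated with the target user logged on.
$ProfileName   = 'Corp AutoVPN'          # assumed display name
$VpnServer     = 'vpn.example.com'       # assumed public name of the DNAT'd RRAS host
$TrustedSuffix = 'corp.example.com'      # assumed internal DNS suffix: seen => on-net => no VPN
$TemplateName  = 'Corp AutoVPN Template'

# 1. Create a throwaway SSTP connection purely to harvest a valid EapHostConfig blob;
#    hand-writing that XML is error-prone. Tune the template's EAP method in the GUI
#    (e.g. PEAP/EAP-TLS against your RADIUS) before running this if you need to.
Add-VpnConnection -Name $TemplateName -ServerAddress $VpnServer -TunnelType Sstp `
    -AuthenticationMethod Eap -EncryptionLevel Required -Force
$EapXml = (Get-VpnConnection -Name $TemplateName).EapConfigXmlStream.InnerXml
Remove-VpnConnection -Name $TemplateName -Force

# 2. ProfileXML. <AlwaysOn> + <TrustedNetworkDetection> is what makes it transparent.
#    Assumption: the CSP schema offers PPTP/L2TP/IKEv2/Automatic for NativeProtocolType
#    and no explicit SSTP value; Automatic tries IKEv2 first and falls back to SSTP, so
#    leaving UDP 500/4500 closed on the RRAS DNAT effectively forces SSTP.
$ProfileXML = @"
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <RememberCredentials>true</RememberCredentials>
  <TrustedNetworkDetection>$TrustedSuffix</TrustedNetworkDetection>
  <DnsSuffix>$TrustedSuffix</DnsSuffix>
  <NativeProfile>
    <Servers>$VpnServer</Servers>
    <NativeProtocolType>Automatic</NativeProtocolType>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap><Configuration>$EapXml</Configuration></Eap>
    </Authentication>
  </NativeProfile>
</VPNProfile>
"@

# 3. The VPNv2 CSP is per-user, so the WMI bridge needs the SID of the logged-on user.
$Account = (Get-CimInstance Win32_ComputerSystem).UserName
$Sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$Namespace  = 'root\cimv2\mdm\dmmap'
$Class      = 'MDM_VPNv2_01'
$InstanceId = $ProfileName -replace ' ', '%20'
$Escaped    = [System.Security.SecurityElement]::Escape($ProfileXML)   # ProfileXML travels as a text node

$Session = New-CimSession
$Opts = New-Object Microsoft.Management.Infrastructure.Options.CimOperationOptions
$Opts.SetCustomOption('PolicyPlatformContext_PrincipalContext_Type', 'PolicyPlatform_UserContext', $false)
$Opts.SetCustomOption('PolicyPlatformContext_PrincipalContext_Id', $Sid, $false)

# Remove any existing copy first so the script is safe to re-run from a logon script / GPO.
foreach ($Existing in $Session.EnumerateInstances($Namespace, $Class, $Opts)) {
    if ($Existing.InstanceID -eq $InstanceId) { $Session.DeleteInstance($Namespace, $Existing, $Opts) }
}

$New = New-Object Microsoft.Management.Infrastructure.CimInstance $Class, $Namespace
foreach ($Prop in @(
    [Microsoft.Management.Infrastructure.CimProperty]::Create('ParentID',   './Vendor/MSFT/VPNv2', 'String', 'Key'),
    [Microsoft.Management.Infrastructure.CimProperty]::Create('InstanceID', $InstanceId,           'String', 'Key'),
    [Microsoft.Management.Infrastructure.CimProperty]::Create('ProfileXML', $Escaped,              'String', 'Property'))) {
    $New.CimInstanceProperties.Add($Prop)
}
$Session.CreateInstance($Namespace, $New, $Opts) | Out-Null

# 4. Check: the profile should now be visible to the user; off-net it connects by itself.
Get-VpnConnection -Name $ProfileName | Select-Object Name, TunnelType, ConnectionStatus
```

Two practitioner caveats: this is a user tunnel, so it authenticates the user (via whatever the harvested EAP config says) and not the computer, which is exactly the gap Louis raised about L2TP; a device tunnel that authenticates the machine certificate needs IKEv2, which the thread notes the UTM cannot terminate. And TrustedNetworkDetection only suppresses the tunnel when the interface's connection-specific DNS suffix matches, so a guest Wi-Fi that happens to hand out that suffix would keep the VPN down.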

  • It looks like you've found a solution that works for you, Louis, but I wanted to leave more information about UTM Remote Access methods for future passers-by...

    1. I don't think the Microsoft AOVPN client can deal with a DNAT, but that's a client limitation, not a UTM limitation.

    3. Consider How to Run Preconnect/Connect/Disconnect OpenVPN Scripts.

    4. The free Sophos Connect client that was developed for the XG also works with UTM IPsec Remote Access.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    AOVPN does work with the UTM using DNAT. It just won't DNAT if you are running IPsec on the UTM at the same time.

    AOVPN will also work with most 3rd-party vendors (so you don't need to use M$ RRAS) as long as they support IKEv2, which the UTM doesn't.

    I'll certainly look at the OpenVPN scripts so thanks there.

    I didn't know there was a free Sophos Connect client. Do you have the details or where it can be downloaded from?

     

    Louis

  • Cheers Bob. We're actually quite liking the M$ SSTP at the moment.

    For anybody DNATing to M$ servers of any kind, I'd recommend using the IIS Crypto tool (from Nartac) to secure the ciphers etc., e.g. disable SSLv3 and RC4 ciphers.
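IIS Crypto is a GUI over the SCHANNEL registry keys, and SSTP on RRAS terminates TLS through HTTP.sys/SCHANNEL, so the same hardening can be scripted and pushed to every DNAT'd RRAS host. The following is an added example (not from this thread, and not Nartac's or Microsoft's code); it goes a little beyond Louis' two items by also disabling TLS 1.0/1.1 and the other legacy ciphers, on the assumption that the clients are Windows 10, which negotiates TLS 1.2 for SSTP:

```powershell
# Added example (not from the thread): SCHANNEL hardening for an SSTP/RRAS host,
# equivalent to the SSLv3/RC4 boxes in IIS Crypto. Run elevated; SCHANNEL re-reads
# these keys only on reboot (restarting RemoteAccess alone is not reliable).
$Schannel     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$SchannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'   # same key, .NET form

function Set-SchannelProtocol {
    # Enabled=0 + DisabledByDefault=1 is the documented "off" state for a protocol.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][bool]$Enabled)
    foreach ($Side in 'Server', 'Client') {
        $Key = Join-Path $Schannel "Protocols\$Name\$Side"
        New-Item -Path $Key -Force | Out-Null
        New-ItemProperty -Path $Key -Name Enabled           -PropertyType DWord -Value ([int]$Enabled)        -Force | Out-Null
        New-ItemProperty -Path $Key -Name DisabledByDefault -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Disable-SchannelCipher {
    # Cipher key names contain "/" (e.g. "RC4 128/128"), which the PowerShell registry
    # provider treats as a path separator, so these keys are written via the .NET API.
    param([Parameter(Mandatory)][string]$Name)
    $Base = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$SchannelPath\Ciphers")
    $Key  = $Base.CreateSubKey($Name)
    $Key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $Key.Close(); $Base.Close()
}

function Get-SchannelProtocolState {
    # Read-back check, usable on its own after a reboot to confirm the intended state.
    foreach ($Name in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $Key = Join-Path $Schannel "Protocols\$Name\Server"
        $Val = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $Name
            Enabled           = if ($null -ne $Val) { $Val.Enabled } else { 'default' }
            DisabledByDefault = if ($null -ne $Val) { $Val.DisabledByDefault } else { 'default' }
        }
    }
}

# Apply: only TLS 1.2 on, everything older off, legacy ciphers off.
'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1' | ForEach-Object { Set-SchannelProtocol -Name $_ -Enabled $false }
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true
'RC4 128/128', 'RC4 56/128', 'RC4 40/128', 'DES 56/56', 'Triple DES 168', 'NULL' |
    ForEach-Object { Disable-SchannelCipher -Name $_ }

Get-SchannelProtocolState | Format-Table -AutoSize
```

After the reboot, confirm from outside the UTM with a scanner that speaks the old protocols itself (for example `nmap --script ssl-enum-ciphers -p 443 vpn.example.com`), since a Windows test client with SSLv3 already disabled cannot prove the server refused it. If any Windows 7 SSTP clients remain, disabling TLS 1.0 will break them until they are patched to negotiate TLS 1.2.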